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DETAILED ACTION 



Priority 

Receipt is acknowledged of papers submitted under 35 U.S.C. 119(a)-(d), which papers 
have been placed of record in the file. 

Drawings 

The drawings were received on 09/10/09. These drawings are accepted. 

Claim Rejections - 35 USC § 112 
The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specificalion shall conlahi a wrillcn description of the invention, and of the manner and process of making 
and using it, in such lull, clear, concise, and exact terms as to enable any person skilled in the art to which it 
pertains, or with which it is most nearly connected, to make and use the same and shall set forth the hcst mode 
contemplatcd hy the inventor of carrying out his invention. 

Claims 1-3 and 5-20 are rejected under 35 U.S.C. 112, first paragraph, as failing to 
comply with the written description requirement. The claim(s) contains subject matter which 
was not described in the specification in such a way as to reasonably convey to one skilled in the 
relevant art that the inventor(s), at the time the application was filed, had possession of the 
claimed invention. 

Claims 1-3 and 14-16 recite the limitation "single safety controller". There is no support 
in the original disclosure for this limitation. These limitations should be changed back to "single 
controller". 
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Claims 5-13 and 17-20 depend from claims 1 and 15 and incorporate the same 
deficiencies. 

The following is a quotation of the second paragraph of 35 U.S.C. 1 12: 

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

Claims 10-12 and 14 are rejected under 35 U.S.C. 112, second paragraph, as being 
indefinite for failing to particularly point out and distinctly claim the subject matter which 
applicant regards as the invention. 

Claims 10-12 depend from a cancelled claim. 

Claim 14 recites the limitation "the redundant controller unit" in line 1. There is 
insufficient antecedent basis for this limitation in the claim. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of application for patent in the United States. 

Claims 1-3 and 5-20 are rejected under 35 U.S.C. 102(b) as being anticipated by Andreas 
Schenk. "SIMATIC S7-400F/FH: Safety-Related Programmable Logic Controller". 
SAFECOMP 2000. LNCS 1943 (2000): 286-293. 

Schenk discloses: 
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1 . A method to increase a safety integrity level of a single safety controller for control of 
real world objects, the method comprising: 

attaching to the single controller (e.g., Fig. 1: "1 standard CPU 417-4H") a safety- 
hardware unit (e.g.. Fig. 1: "fail-safe I/O module") wherein the safety-hardware unit 
communicates with a central processing unit of the single controller, 

connecting a bus (e.g.. Fig. 1: "PROFIBUS") to the single safety controller (e.g.. Fig. 1: 
"1 standard CPU") and connecting an input/output unit to the bus (e.g.. Fig. 1, pg. 287: "Safety- 
related input from and output to the process are done with special fail-safe I/O modules"), 

downloading safety-related configuration data and/or diagnostic information to the 
attached safety-hardware unit (e.g., pg. 288: "The fail-safe I/O modules are configured with the 
standard hardware configuration tool", pg. 287: "external fault diagnostics") and downloading a 
control function software to the single controller (e.g. Fig. 1, pg. 291: "not safety-related 
application program"), 

configuring the attached safety-hardware unit to execute logic, which depends on the 
downloaded safety-related configuration data and/or diagnostic information (e.g., pg. 288: "The 
fail-safe I/O modules are configured with the standard hardware configuration tool", pg. 287: 
"The fail-safe 1/0 modules provide an internal loo2 structure with comparison, self-tests and 
external fault diagnostics"), 

actively or passively setting output values of the single controller to a safe state for online 
safety control (e.g.. Fig. 1, pg. 287: "Safety-related input from and output to the process are done 
with special fail-safe I/O modules"). 
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obtaining access to a plurality of input and output values of a real world object through 
the bus (e.g., Fig. 1, pg. 287: "Safety-related input from and output to the process are done with 
special fail-safe I/O modules"), and 

verifying a validity of the bus communication with the attached safety hardware unit 
(e.g., pg. 290: "the checksums of the safety telegrams sent are invalid and fault detection and 
reaction is done by the recipients of safety telegrams, i.e., fail-safe output modules"). 

2. The method according to claim 1, wherein the single safety controller has the 
capability of executing a set of non-safety critical control functions, which set of non-safety 
critical control functions is the same before as well as after the safety hardware unit is attached 
(e.g. pg. 291: "Safety-related and not safety-related application program can be processed by the 
same CPU"). 

3. The method according to claim 2, wherein the configuring comprises: 

downloading to the attached safety hardware unit diagnostic information, which 
previously was automatically generated by a software tool as a result of user's configuration of 
the single safety controller and which diagnostic information is used in the attached safety 
hardware unit during safety critical control (e.g., pg. 288: "The fail-safe I/O modules are 
configured with the standard hardware configuration tool", pg. 287: "external fault diagnostics"). 

5. The method according to claim 1, wherein the timing supervision of the controller 
is verified in the attached safety hardware mit (e.g., pg. 289: "Cycle time is checked. . .indirectly 
by the recipients of safety telegrams waiting for a new sequence number in the safety telegram"). 
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6. The method according to claim 1, wherein correct sequence of code logic is 
verified in the attached safety hardware unit (e.g., pg. 289: "Cycle time is checked. . .indirectly by 
the recipients of safety telegrams waiting for a new sequence number in the safety telegram"). 

7. The method according to claim 1, wherein correctness of memory content of the 
controller is verified in the attached safety hardware unit (e.g., pg. 290: "Self-tests include SP7- 
ASIC, RAM and CRC of code blocks and operating system"). 

8. The method according to claim 1, wherein a download of new control 
functionality logic to the controller is verified in the attached safety hardware unit (e.g., pg. 290: 
"Self-tests include SP7-AS1C, RAM and CRC of code blocks and operating system"). 

9. The method according to claim 1, wherein the attached safety hardware unit 
performs checks in order to allow only users logged on as safety classified engineers and safety 
classified operators to modify the control fimctionality logic and parameters (e.g., pg. 290: 
"password"). 

10. The method according to claim 4, wherein the bus communication verification 
logic in the attached safety hardware unit is implemented diverse (e.g., pg. 290: "Comparison of 
the diverse results of the safety-related application program and fault reaction is done. . .indirectly 
by the recipients of the safety telegrams sent by the safety-related application program, i.e., fail- 
safe output modules"). 

1 1 . The method according to claim 4, wherein the attached safety hardware unit is 
diverse generating a safety related header for the bus communication (e.g., pg. 290: "Comparison 
of the diverse results of the safety-related application program and fault reaction is 
done... indirectly by the recipients of the safety telegrams sent by the safety-related application 
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program, i.e., fail-safe output modules", "This safety protocol is... implemented in the fail-safe 
I/O modules"). 

12. The method according to claim 11, wherein the input/output unit has two diverse 
implementations each verifying the correctness of the bus traffic and each generating a safety 
related header for the bus communication (e.g., pg. 290: "Comparison of the diverse results of 
the safety-related application program and fault reaction is done... indirectly by the recipients of 
the safety telegrams sent by the safety-related application program, i.e., fail-safe output 
modules", pg. 287: "This safety protocol is. . .implemented in the fail-safe I/O modules"). 

13. The method according to claim 1, wherein the attached safety hardware unit 
comprises a first and a second module in a redundant configuration, the second module is 
updated with data that exists first module at the time of a failure and the second module takes 
over the safety related control of the control system fi-om the first module if a failure of the first 
module is detected (e.g., Fig. 5: "redundant fail-safe I/O modules"). 

14. The method according to claim 13, wherein the redundant controller unit is 
attached to the single safety controller, which takes over in case of a failure of a primary 
controller and the redundant controller unit establish communication with either the active first 
module or the active second module of the attached safety hardware unit (e.g.. Fig. 5: "redundant 
CPU417-4H"). 

15. A single or 1 -channel control system intended for safety-related control of real- 
world objects, comprising: 

a single main central processing unit handling main processes of a single safety controller 
(e.g.. Fig. 1: "1 standard CPU 417-4H"), 
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a safety-hardware unit (e.g., Fig. 1 : "fail-safe I/O module") attached to said single safety 
controller (e.g., Fig. 1 : "1 standard CPU 417-4H"), the safety-hardware unit comprising means to 
increase a safety-integrity level of the single safety controller and comprising means to set output 
values of the single safety controller in a safe state for online safety control (e.g., Fig. 1, pg. 287: 
"Safety-related input from and output to the process are done with special fail-safe I/O 
modules"). 

16. The confrol system according to claim 15, wherein the safety controller has the 
capability of executing a set of non-safety critical confrol fimctions, which set of non-safety 

critical control functions is the same before as well as after the safety hardware unit is attached 
(e.g. pg. 291: "Safety-related and not safety-related application program can be processed by the 
same CPU"). 

17. The confrol system according to claim 16, further comprising: means for 
downloading to the attached safety hardware unit diagnostic information, which previously was 
automatically generated by a software tool as a result of user's configuration of the controller and 
which diagnostic information is used in the attached safety hardware unit during safety critical 
confrol (e.g., pg. 288: "The fail-safe I/O modules are configured with the standard hardware 
configuration tool", pg. 287: "external fault diagnostics"). 

18. The control system according to claim 17, further comprising: 

an input/output unit (e.g.. Fig. 1, pg. 287: "Safety-related input from and output to the 
process are done with special fail-safe I/O modules") connected to the confroUer by a bus (e.g., 
Fig. 1 : "PROFIBUS") and the vahdity of the bus communication is verified in the attached safety 
hardware unit (e.g., pg. 290: "the checksums of the safety telegrams sent are invalid and fault 
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detection and reaction is done by the recipients of safety telegrams, i.e., fail-safe output 
modules"). 

19. The control system according to claim 18, wherein the bus communication 
verification logic in the attached safety hardware unit is implemented diverse (e.g., pg. 290: 

"Comparison of the diverse results of the safety-related application program and fault reaction is 
done... indirectly by the recipients of the safety telegrams sent by the safety-related application 
program, i.e., fail-safe output modules"). 

20. The control system according to claim 19, wherein the attached safety hardware 
unit is diverse generating a safety related header for the bus communication (e.g., pg. 287: "This 
safety protocol is. . .implemented in the fail-safe I/O modules"). 
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Response to Arguments 

Applicant's arguments filed 09/10/09 have been fully considered but they are not 
persuasive. Applicant argues that Schenk does not disclose attaching a safety-hardware unit to a 
single controller. However, Schenk discloses attaching to a single controller (e.g.. Fig. 1: "1 

standard CPU 417-4H") a safety-hardware unit (e.g., Fig. 1: "fail-safe I/O module"). So, Fig. 1 
of Schenk clearly depicts two separate physical units, not a single physical unit as argued by 
Applicant. 
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Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to RYAN A. JARRETT whose telephone number is (571)272-3742. 
The examiner can normally be reached on 10:00-6:30 M-F. 

If attempts to reach the examiner by telephone are unsuccessfiil, the examiner's 
supervisor, Albert Decady can be reached on (571) 272-3819. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published appUcations 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Ryan A. Jarrett/ 

Primary Examiner, Art Unit 2121 

11/06/09 



